The shady tendency to hack DeFi protocols is still very much alive this year. The last victims were Alpha Finance Lab and Cream Finance, which were hacked this Saturday by around $37.5m through a flash loan attack. Luckily, the users weren’t affected as such, but the CREAM price quickly fell by over 34%.
According to the report published by Alpha Finance after the attack, the exploit was targeted to their Ethereum protocol Alpha Homora V2, which is for “leveraging your position in yield farming pools”. The hacker did more than nine transactions involving flash loans, using this protocol to borrowing sUSD in the Cream’s Iron Bank.
The attacker manipulated the liquidity in the original pool in Homora Bank, ending up borrowing huge amounts of WETH, USDC, USDT, and DAI from the Iron Bank. They repeated the process and the flash loans till snatching over $37m directly from the protocols. That’s why the user’s funds weren’t affected this time.
“The debt is not between users and Alpha Homora v2, but between Alpha Homora V2 and Cream V2. This is because Alpha Homora V2 is integrated with Cream V2 (Iron Bank) in a protocol-to-protocol lending way. Thus, the debt is between the two protocols and not the users. Alpha team will work with Andre [Cronje, YFI founder] and Cream team to find remedial actions to resolve the debt”.
Now, as indicated by Cream Finance on Twitter, their smart contracts and markets were investigated and they’re functioning as usual. For its part, Alpha Finance has already patched the vulnerability, and they’ve also declared that they’ll be working with more audit firms and trusted builders to improve the contracts in the future.
Yearn Finance (YFI) was hacked too
The Alpha Homora’s wasn’t the first hack of the year, sadly. SushiSwap was hacked in late January, and, barely last week, Yearn Finance (YFI) was attacked too. The attacker used then a very complex exploit with flash loans and involving over 160 transactions between the protocol Aave and the YFI DAI vault. The latter lost around $11m, while the hacker kept $2.8m after the costs produced by the attack itself.
The price of the YFI token decreased by around 15% after the attack, but it has recovered very well since then. To deal with the losses, the team of Yearn Finance opened a Maker vault from their treasury to mint 9.7m DAI and make the attacked vault whole again for the users. They say this would be a one-time occurrence, though. So, they’re recommending buying coverage from the protocol Cover.
Meanwhile, against all odds, the DeFi ecosystem continues to grow. According to CryptoSlate, the total market capitalization for DeFi assets is over $66.45b, and they have grown by 18% during the last week. The total value locked in these protocols ascends to $40.6b [DefiPulse], and it’s been rising all month.
Featured Image by Markus Trier / Pixabay
Originally published at https://blog.alfa.cash on February 13, 2021.